Changes with nginx 1.15.5                                        02 Oct 2018

*) Bugfix: a segmentation fault might occur in a worker process when
   using OpenSSL 1.1.0h or newer; the bug had appeared in 1.15.4.

*) Bugfix: of minor potential bugs.


Changes with nginx 1.15.4                                        25 Sep 2018

*) Feature: now the "ssl_early_data" directive can be used with OpenSSL.

*) Bugfix: in the ngx_http_uwsgi_module.
   Thanks to Chris Caputo.

*) Bugfix: connections with some gRPC backends might not be cached when
   using the "keepalive" directive.

*) Bugfix: a socket leak might occur when using the "error_page"
   directive to redirect early request processing errors, notably errors
   with code 400.

*) Bugfix: the "return" directive did not change the response code when
   returning errors if the request was redirected by the "error_page"
   directive.

*) Bugfix: standard error pages and responses of the
   ngx_http_autoindex_module module used the "bgcolor" attribute, and
   might be displayed incorrectly when using custom color settings in
   browsers.
   Thanks to Nova DasSarma.

*) Change: the logging level of the "no suitable key share" and "no


nginx versions

* 1.11.x, 1.13.x, 1.15.x - mainline
  o Odd numbers
  o New features are developed here
  o Current version - 1.15.5

* 1.12.x, 1.14.x - stable
  o Even numbers
  o New stable branch every year
  o Only critical fixes, stable API
  o Current stable version - 1.14.0
[Figure: Usage of Nginx version 1 for websites, 26 Sep 2018, W3Techs.com]
* Changes in 1.13.x
  o Available in 1.14.0, latest stable version

* Changes in 1.15.x
  o Available in 1.15.5, latest mainline version


1.13.x

Basic TLS 1.3 support, gRPC proxy module, mirror
module to enable traffic investigation, HTTP/2 server push


TLS 1.3

* RFC 8446
  o Published in August 2018

* 1 RTT full handshake
  o Not guaranteed, but usually
  o Instead of 2 RTT in previous versions

* 0 RTT / early data
  o No replay protection
  o Needs special support - not yet in 1.13.x (but in 1.15.x)


TLS 1.3 basic support

    server {
        listen 443 ssl;

        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        ssl_certificate     test.crt;
        ssl_certificate_key test.key;
    }

* Not enabled by default
* Works with OpenSSL 1.1.1
* Only basic support (no early data in 1.13.x)


TLS 1.3 caveats

* Might not work with your browser
  o OpenSSL 1.1.1 implements RFC 8446
  o Chrome 69 - draft 28 or draft 23
  o Firefox 62 - draft 28
  o Safari on macOS High Sierra - draft 18, disabled by default

* Can be easily broken by incorrect configuration
  o ssl_ecdh_curve secp384r1;
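The following is an added example, not taken from the slides, showing the curve restriction the caveat refers to next to a working alternative. The hostname and certificate paths are placeholders.

```nginx
# Added example (not from the slides). Placeholders: example.test and the
# certificate paths.
server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/example.test.crt;
    ssl_certificate_key /etc/nginx/tls/example.test.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Broken: a single non-default group. TLS 1.3 always does (EC)DHE with a
    # group from this list. A client whose first ClientHello carries key
    # shares only for X25519 and P-256 needs a HelloRetryRequest round trip
    # at best; a client that does not support secp384r1 at all fails the
    # handshake, and OpenSSL reports it as "no suitable key share".
    # ssl_ecdh_curve secp384r1;

    # Working: keep the default (auto), or list the groups browsers send key
    # shares for first and add the stricter ones after them.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
```

To check a deployment, connect with a client that has an OpenSSL 1.1.1 build (`openssl s_client -connect example.test:443 -tls1_3`) and watch the nginx error log: the "no suitable key share" message is the one whose level 1.15.4 lowered to "info", so it is easy to miss once you upgrade.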


Other SSL improvements

* Renegotiation with backend servers
  o Disabled due to CVE-2009-3555 - no longer relevant
  o Some backends require renegotiation

* The $ssl_client_escaped_cert variable
  o Simplifies passing the certificate to backends

* Now tcp_nodelay activated before SSL handshake
  o Without it, the TLS 1.3 handshake triggers the "Nagle vs. Delayed Ack" problem
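An added example, not from the slides, of what $ssl_client_escaped_cert simplifies: client-certificate authentication terminated at nginx with the verified certificate handed to the backend in a header. Hostnames, paths, header names and the backend address are placeholders.

```nginx
# Added example (not from the slides). Placeholders: api.example.test, the
# certificate paths, the X-Client-* header names and 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name api.example.test;

    ssl_certificate        /etc/nginx/tls/api.crt;
    ssl_certificate_key    /etc/nginx/tls/api.key;
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;    # handshake fails without a valid client cert

    location / {
        proxy_pass http://127.0.0.1:8080;

        # PEM, URL-encoded into a single header value. $ssl_client_cert is
        # the same PEM with embedded newlines, which many backends reject.
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;

        # nginx's verdict (SUCCESS, FAILED:<reason> or NONE).
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}
```

proxy_set_header replaces any header of the same name the client sent, so the backend may trust X-Client-Cert only if every path to it goes through this nginx; a backend reachable directly must re-verify or ignore the header.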


Mirror

    location / {
        mirror /mirror;
        proxy_pass http://real-backend;
    }

    location /mirror {
        proxy_pass http://mirror-backend;
        proxy_set_header X-Original-URI $request_uri;
    }

Mirror: details

* Uses background subrequests
  o Introduced for proxy_cache_background_update, rewritten for mirror

* Subrequests are executed in parallel with main request
  o Slow subrequest can delay main request

* The request body is read by default
  o mirror_request_body off;
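An added example, not from the slides, that mirrors traffic to an analysis backend while keeping the two risks above in check: the mirror location is internal-only, its timeouts are short so a slow analysis host cannot hold up the real request, and the body is not mirrored. Upstream names and addresses are placeholders.

```nginx
# Added example (not from the slides). Placeholders: the upstream names and
# the 127.0.0.1 addresses.
upstream real_backend   { server 127.0.0.1:8080; }
upstream mirror_backend { server 127.0.0.1:9090; }   # e.g. an IDS or request recorder

server {
    listen 80;

    location / {
        mirror /mirror;
        # Skip the body: otherwise it is read in full before the mirror
        # subrequest starts, which also disables unbuffered request proxying.
        mirror_request_body off;
        proxy_pass http://real_backend;
    }

    location = /mirror {
        internal;                      # never reachable by clients directly
        proxy_pass http://mirror_backend$request_uri;

        # Body is not mirrored, so do not forward it or its length.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        # The mirror's response is discarded, but the subrequest still runs
        # alongside the main one; bound it so a stalled mirror host cannot
        # delay the client.
        proxy_connect_timeout 1s;
        proxy_send_timeout    2s;
        proxy_read_timeout    2s;
    }
}
```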


Mirror: development details

* Fixed an old problem with proxying subrequests with bodies
  o An optimization: request body file closed when response header is received
  o Caused problems with SSI and POST requests
  o Now switched off with subrequests

* New request processing phase: precontent
  o Used by try_files and mirror
  o Can be used for your own modules


HTTP/2 server push

* An HTTP/2 protocol feature
* May improve website latency when used properly
* But can make your site slower
  o And it will in most cases
  o "Chrome's view on Push" by Brad Lassey,
    https://github.com/httpwg/wg-materials/blob/gh-pages/ietf102/chrome_push.pdf
HTTP/2 server push

How to:

    http2_push /css/main.css;

Push "Link: rel=preload" on proxying:

    http2_push_preload on;

Use with care


gRPC proxy

* Proxying and balancing gRPC backends
* Uses HTTP/2 but there are nuances
  o gRPC requires trailers support
* Designed specially for gRPC
  o No request buffering, no response buffering
  o No multiplexing
  o Persistent connections with upstream keepalive


gRPC proxy: example

    server {
        listen 50051 http2;

        location / {
            grpc_pass 127.0.0.2:50051;
        }
    }

gRPC proxy: keepalive

    upstream backend {
        server 127.0.0.2:50051;
        server 127.0.0.3:50051;
        keepalive 10;
    }

    server {
        listen 50051 http2;

        location / {
            grpc_pass backend;
        }
    }


Misc

* CPU affinity on DragonFly BSD
* Improved CPU cache line size detection
  o sysconf(_SC_LEVEL1_DCACHE_LINESIZE)
* Better compatibility with optimized zlib variants
* Socket buffers tuning in mail and stream modules


Misc 2

* Hostnames in set_real_ip_from
* Logging of PID of the process which sent the signal
* Support for 308 redirections in "return" and "error_page"
* Now nginx preserves CAP_NET_RAW on Linux
  o root not needed with "proxy_bind ... transparent;"
* $ssl_preread_alpn_protocols in the stream module


Misc 3

* Escaping can be disabled in access logs
  o log_format ... escape=none ...
* Arbitrary subrequests in memory
  o <!--#include virtual="/file" set="one" -->
  o Previously proxying only, now static files too
Misc 4

* Range requests from an empty file now return 200
  o Previously 416, but 200 is also valid and better for the slice module

* Monotonic timers
  o clock_gettime(CLOCK_MONOTONIC)
  o No more timeouts on system time changes

* PROXY protocol version 2
  o Amazon NLB


All these features were developed in the 1.13.x branch.
Available in 1.14.x stable.


1.15.x

TLS 1.3, UDP sessions, random
balancer, and more.
Things we are working on:


TLS 1.3

* Fixed backend session reuse
* Now works with BoringSSL
* Early data support


TLS 1.3 early data

How to use early data:

    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_early_data on;

* No replay protection
  o Not at all in BoringSSL
  o The one in OpenSSL breaks session reuse, so disabled
* The $ssl_early_data variable
  o Early-Data header, RFC 8470
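Because nginx does no replay protection for 0-RTT, the application has to. The following added example, not from the slides, enables early data but answers any non-safe request that arrived in 0-RTT with 425 Too Early (RFC 8470), so a replayed ClientHello can at most repeat a GET; it also forwards the Early-Data header so the backend can apply its own policy. The hostname, paths, map variable name and backend address are placeholders.

```nginx
# Added example (not from the slides). Placeholders: example.test, the
# certificate paths, $reject_early_data and 127.0.0.1:8080.

# $ssl_early_data is "1" only while a request is being served from early
# data, i.e. before the handshake has completed; otherwise it is empty.
map "$ssl_early_data:$request_method" $reject_early_data {
    default                     0;
    "~^1:(GET|HEAD|OPTIONS)$"   0;   # safe methods may be replayed harmlessly
    "~^1:"                      1;   # anything else in 0-RTT: refuse, client retries
}

server {
    listen 443 ssl http2;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/example.test.crt;
    ssl_certificate_key /etc/nginx/tls/example.test.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_early_data      on;

    location / {
        # 425 tells a conforming client to resend after the 1-RTT handshake.
        if ($reject_early_data) {
            return 425;
        }

        proxy_pass http://127.0.0.1:8080;
        # RFC 8470: mark requests that arrived as early data so the backend
        # can treat them as possibly replayed (e.g. reject one-time tokens).
        proxy_set_header Early-Data $ssl_early_data;
    }
}
```

Even a GET is only "safe" if it has no side effects; if the application has state-changing GETs, the map should refuse those paths too rather than trusting the method alone.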
SSL: better configuration checking

* Missing certificates for "listen ... ssl" now detected

    server {
        listen 443 ssl default;

        # no ssl_certificate here
    }

SSL: better configuration checking

* The "ssl" directive deprecated in favor of "listen ... ssl"

    server {
        listen 80;
        listen 443;
        ssl on;
    }


Stream: UDP sessions

* UDP proxying assumed only 1 packet from client
  o Did not work for complex UDP-based protocols, such as DTLS

* Now tries to lookup an existing session
  o Can handle DTLS
  o Much better speed when there are many packets

* Only works within a worker
  o Single worker or "listen ... reuseport"

* Now "listen ... reuseport" works on FreeBSD 12
  o SO_REUSEPORT_LB
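An added example, not from the slides, of a multi-packet UDP proxy (DTLS) configured so that session lookup works with more than one worker. The upstream name, addresses and timeout are placeholders.

```nginx
# Added example (not from the slides). Placeholders: dtls_backend,
# 127.0.0.1:4433 and the 30s timeout.
stream {
    upstream dtls_backend {
        server 127.0.0.1:4433;
    }

    server {
        # Sessions are tracked per worker. With reuseport each worker owns its
        # own socket and the kernel keeps all packets of one client on the
        # same socket, so every packet of a DTLS session reaches the worker
        # that holds that session. Without it, run a single worker.
        listen 4433 udp reuseport;

        proxy_pass dtls_backend;

        # A session lives until this much idle time has passed; keep it
        # shorter than the application's own keep-alive so memory is not
        # held for peers that have silently gone away.
        proxy_timeout 30s;
    }
}
```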
Stream: $ssl_preread_protocol

    stream {
        map $ssl_preread_protocol $u {
            ""       127.0.0.1:22;
            default  127.0.0.1:8443;
        }

        server {
            listen 443;
            proxy_pass $u;
            ssl_preread on;
        }
    }

New balancer: random

    upstream backend {
        random;
        server 192.0.2.1;
        server 192.0.2.2;
        server 192.0.2.3;
    }

* Faster than round-robin with many backends
* The same quality with many frontends

New balancer: random two

    upstream backend {
        random two;
        server 192.0.2.1;
        server 192.0.2.2;
        server 192.0.2.3;
    }

* Two random choices, best of the two is used
* Almost least_conn, but faster
Misc

* Now "reset_timedout_connection" applies to "return 444"
  o Saves kernel memory and sockets

* Upstream keepalive limits
  o "keepalive_timeout" - prevents a race with connection close by a backend
  o "keepalive_requests" - ensures connection-specific allocations will be freed
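An added example, not from the slides, putting both items of this slide into one configuration: unwanted clients are dropped with a reset rather than a normal close, and upstream keepalive connections are bounded in both time and request count. The upstream name, addresses, limits and the denied path pattern are placeholders.

```nginx
# Added example (not from the slides). Placeholders: app, 127.0.0.1:8080,
# the limits and the denied path pattern.
upstream app {
    server 127.0.0.1:8080;
    keepalive 32;              # idle connections kept open, per worker

    # Must be shorter than the backend's own idle timeout (60s assumed
    # here): if the backend closes first, a request written onto a
    # connection that is closing races with the FIN and fails.
    keepalive_timeout 55s;

    # Recycle the connection after this many requests so per-connection
    # allocations are freed instead of accumulating for its lifetime.
    keepalive_requests 1000;
}

server {
    listen 80;

    # With this on, connections closed by "return 444" (and by time-outs)
    # are reset, so the socket and its kernel buffers go away immediately
    # instead of lingering through a normal close.
    reset_timedout_connection on;

    # Example policy: probes for dotfiles get no response at all.
    location ~ ^/\. {
        return 444;
    }

    location / {
        proxy_pass http://app;
        # Keepalive to the upstream needs HTTP/1.1 without "Connection: close".
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
```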


All these features were introduced in the 1.15.x branch.

More are being worked on now.
Thank you!
Questions?

Maxim Dounin

mdounin@mdounin.ru


